Siemens SIPROTEC 5 Devices Null Pointer Dereference (CVE-2023-28766)

high Tenable OT Security Plugin ID 501142

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.40), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions < V9.40), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MU85 (CP300) (All versions < V9.40), SIPROTEC 5 7KE85 (CP200) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions < V9.40), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions < V9.40), SIPROTEC 5 7SA84 (CP200) (All versions), SIPROTEC 5 7SA86 (CP200) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions < V9.40), SIPROTEC 5 7SA87 (CP200) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions < V9.40), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions < V9.40), SIPROTEC 5 7SD84 (CP200) (All versions), SIPROTEC 5 7SD86 (CP200) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions < V9.40), SIPROTEC 5 7SD87 (CP200) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions < V9.40), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions < V9.40), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions < V9.40), SIPROTEC 5 7SJ85 (CP200) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions < V9.40), SIPROTEC 5 7SJ86 (CP200) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions < V9.40), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions < V9.40), SIPROTEC 5 7SK85 (CP200) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions < V9.40), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions < V9.40), SIPROTEC 5 7SL86 (CP200) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions < V9.40), SIPROTEC 5 7SL87 (CP200) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions < V9.40), SIPROTEC 5 7SS85 (CP200) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions < V9.40), SIPROTEC 5 7ST85 (CP200) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions < V9.40), SIPROTEC 5 7SX82 (CP150) (All versions < V9.40), SIPROTEC 5 7SX85 (CP300) (All versions < V9.40), SIPROTEC 5 7UM85 (CP300) (All versions < V9.40), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions < V9.40), SIPROTEC 5 7UT85 (CP200) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions < V9.40), SIPROTEC 5 7UT86 (CP200) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions < V9.40), SIPROTEC 5 7UT87 (CP200) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions < V9.40), SIPROTEC 5 7VE85 (CP300) (All versions < V9.40), SIPROTEC 5 7VK87 (CP200) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions < V9.40), SIPROTEC 5 7VU85 (CP300) (All versions < V9.40), SIPROTEC 5 Communication Module ETH-BA-2EL (All versions < V9.40), SIPROTEC 5 Communication Module ETH-BB-2FO (All versions < V9.40), SIPROTEC 5 Communication Module ETH-BD-2FO (All versions < V9.40), SIPROTEC 5 Compact 7SX800 (CP050) (All versions < V9.40). Affected devices lack proper validation of http request parameters of the hosted web service. An unauthenticated remote attacker could send specially crafted packets that could cause denial of service condition of the target device.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available:

- SIPROTEC 5 6MD85 (CP300): Update to v9.40 or later
- SIPROTEC 5 6MD86 (CP300): Update to v9.40 or later
- SIPROTEC 5 6MU85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7KE85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SA82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SA86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SA87 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SD82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SD86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SD87 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SJ81 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SJ82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SJ85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SJ86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SK82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SK85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SL82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SL86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SL87 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SS85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7ST86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7SX82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7SX85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7UM85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7UT82 (CP150): Update to v9.40 or later
- SIPROTEC 5 7UT85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7UT86 (CP300): Update to v9.40 or later
- SIPROTEC 5 7UT87 (CP300): Update to v9.40 or later
- SIPROTEC 5 7VE85 (CP300): Update to v9.40 or later
- SIPROTEC 5 7VK87 (CP300): Update to v9.40 or later
- SIPROTEC 5 7VU85 (CP300): Update to v9.40 or later
- SIPROTEC 5 Communication Module ETH-BA-2EL: Update to v9.40 or later
- SIPROTEC 5 Communication Module ETH-BB-2FO: Update to v9.40 or later
- SIPROTEC 5 Communication Module ETH-BD-2FO: Update to v9.40 or later
- SIPROTEC 5 Compact 7SX800 (CP050): Update to v9.40 or later

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Block access to port 4443/TCP e.g. with an external firewall

Worldwide regulations for critical power systems (e.g. TSOs or DSOs) usually require multi-level redundant secondary protection schemes to build resilience into power grids. It is recommended that operators check whether appropriate resilient protection measures are in place to minimize the risk of cyber incidents impacting the grid's reliability.

Siemens recommends that operators:

- Apply provided security updates using the corresponding tooling and documented procedures made available with the product.
- Automatically apply security updates across multiple product instances if automation is supported by the product.
- Validate any security update before being applied. It is recommended to perform the update process under the supervision of trained staff in the target environment.
- Protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) as a general security measure.

In order to run the devices in a protected IT environment, it is advised to configure the environment according to Siemens operational guidelines.

Recommended security guidelines can be found at Siemens’ grid security page.

For more information, see the associated Siemens security advisory SSA-322980 in HTML and CSAF.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-322980.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-06

Plugin Details

Severity: High

ID: 501142

Version: 1.8

Type: remote

Family: Tenable.ot

Published: 5/16/2023

Updated: 12/9/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-28766

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:siprotec_5_7sa87_firmware, cpe:/o:siemens:siprotec_5_7um85_firmware, cpe:/o:siemens:siprotec_5_7ut87_firmware, cpe:/o:siemens:siprotec_5_7sj81_firmware, cpe:/o:siemens:siprotec_5_7sx85_firmware, cpe:/o:siemens:siprotec_5_compact_7sx800_firmware, cpe:/o:siemens:siprotec_5_7sj86_firmware, cpe:/o:siemens:siprotec_5_7sl82_firmware, cpe:/o:siemens:siprotec_5_6md85_firmware, cpe:/o:siemens:siprotec_5_7ut85_firmware, cpe:/o:siemens:siprotec_5_7st86_firmware, cpe:/o:siemens:siprotec_5_7sd82_firmware, cpe:/o:siemens:siprotec_5_7ke85_firmware, cpe:/o:siemens:siprotec_5_7ut82_firmware, cpe:/o:siemens:siprotec_5_7ve85_firmware, cpe:/o:siemens:siprotec_5_7vk87_firmware, cpe:/o:siemens:siprotec_5_7sl87_firmware, cpe:/o:siemens:siprotec_5_7sa86_firmware, cpe:/o:siemens:siprotec_5_7sa82_firmware, cpe:/o:siemens:siprotec_5_6md89_firmware, cpe:/o:siemens:siprotec_5_6md86_firmware, cpe:/o:siemens:siprotec_5_7sd86_firmware, cpe:/o:siemens:siprotec_5_7ss85_firmware, cpe:/o:siemens:siprotec_5_7st85_firmware, cpe:/o:siemens:siprotec_5_7sj82_firmware, cpe:/o:siemens:siprotec_5_7sj85_firmware, cpe:/o:siemens:siprotec_5_7sk85_firmware, cpe:/o:siemens:siprotec_5_7sl86_firmware, cpe:/o:siemens:siprotec_5_7sd87_firmware, cpe:/o:siemens:siprotec_5_6mu85_firmware, cpe:/o:siemens:siprotec_5_7sk82_firmware, cpe:/o:siemens:siprotec_5_7ut86_firmware, cpe:/o:siemens:siprotec_5_7sx82_firmware, cpe:/o:siemens:siprotec_5_7vu85_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 4/11/2023

Vulnerability Publication Date: 4/11/2023

Reference Information

CVE: CVE-2023-28766

CWE: 476

ICSA: 23-103-06